docker容器的网络连接
- docker容器的网络基础
- docker容器的互联
- docker容器与外部网络的连接
docker容器的网络基础
docker0:linux虚拟网桥
linux虚拟网桥的特点:
- 可以设置ip地址
- 相当于拥有了一个隐藏的虚拟网卡
docker0的地址划分: - IP:172.17.42.1 子网掩码:255.255.0.0
- MAC:02:42:ac:11:00:00到02:42:ac:11:ff:ff
- 总共提供了65534个地址空间
#安装网桥管理工具
apt-get install bridge-utils
#查看网桥设备
brctl show
#修改docker0地址:
$ ifconfig docker0 192.168.200.1 netmask 255.255.255.0
添加虚拟网桥:
1,建立虚拟网桥。
2,在docker配置中添加虚拟网桥使用的定义
#添加虚拟网桥
$ brctl addbr br0
$ ifconfig br0 192.168.100.1 netmask 255.255.255.0
#更改docker守护进程的启动配置
/etc/default/docker 中添加docker_ops值
-b=br0
docker容器的互联
- 允许所有容器互联
- 拒绝容器互联
- 允许特定容器互联
用于测试Docker镜像的Dockfile:
FROM ubuntu:14.04
RUN apt-get install -y ping
RUN apt-get update
RUN apt-get install -y nginx
RUN apt-get install -y curl
EXPOSE 80
CMD /bin/bash
允许所有容器互联(默认)
–icc=true
在docker中设置容器互联
–link
$ cocker run --link=[CONTAINER_NAME]:[ALIAS] [IMAGE] [COMMAND]
egg:
docker run -it --name=cct3 --link=cct1:webtest test/cct#连接到cct1上,并取一个别名webtest
ping webtest#通过别名连接其他容器
拒绝容器访问
docker文件配置
–icc=false
允许特定容器间连接
docker文件配置
–icc=false --iptables=true
–link(用了link的容器允许连接)
iptables -F
systemctl restart docker
docker start cct1 cct2 cct3 cct4
cct1 打开ngin
cct4连接到cct1
docker容器与外部网络的连接
ip_forward
iptables
允许端口映射访问
限制ip访问容器
–ipforward=true(是否会转发流量)
$sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding=1
[root@localhost ~]$ vim /etc/docker/daemon.json
{
"authorization-plugins": [],
"data-root": "", # 设置docker运行时的根目录
"dns": [], # 设置容器的DNS地址
"dns-opts": [], # 设置容器的/etc/resolv.conf文件
"dns-search": [],
"exec-opts": [],
"exec-root": "",
"experimental": false,
"features": {},
"storage-driver": "",
"storage-opts": [],
"labels": [],
"live-restore": true,
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-files":"5",
"labels": "somelabel",
"env": "os,customer"
},
"mtu": 0,
"pidfile": "", # 设置docker守护进程的PID文件
"cluster-store": "",
"cluster-store-opts": {},
"cluster-advertise": "",
"max-concurrent-downloads": 3,
"max-concurrent-uploads": 5,
"default-shm-size": "64M",
"shutdown-timeout": 15,
"debug": true, # 是否以debug模式启动docker
"hosts": [], # 设置容器的hosts
"log-level": "",
"tls": true,
"tlsverify": true,
"tlscacert": "",
"tlscert": "",
"tlskey": "",
"swarm-default-advertise-addr": "",
"api-cors-header": "",
"selinux-enabled": false, # 设置是否支持SELinux
"userns-remap": "",
"group": "",
"cgroup-parent": "",
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Hard": 64000,
"Soft": 64000
}
},
"init": false,
"init-path": "/usr/libexec/docker-init",
"ipv6": false,
"iptables": false,
"ip-forward": false,
"ip-masq": false,
"userland-proxy": false,
"userland-proxy-path": "/usr/libexec/docker-proxy",
"ip": "0.0.0.0",
"bridge": "",
"bip": "",
"fixed-cidr": "",
"fixed-cidr-v6": "",
"default-gateway": "",
"default-gateway-v6": "",
"icc": false,
"raw-logs": false,
"allow-nondistributable-artifacts": [],
"registry-mirrors": [], # 设置镜像加速地址
"seccomp-profile": "",
"insecure-registries": [], # 设置docker的私有仓库地址
"no-new-privileges": false,
"default-runtime": "runc",
"oom-score-adjust": -500,
"node-generic-resources": ["NVIDIA-GPU=UUID1", "NVIDIA-GPU=UUID2"],
"runtimes": {
"cc-runtime": {
"path": "/usr/bin/cc-runtime"
},
"custom": {
"path": "/usr/local/bin/my-runc-replacement",
"runtimeArgs": [
"--debug"
]
}
},
"default-address-pools":[{"base":"172.80.0.0/16","size":24},
{"base":"172.90.0.0/16","size":24}]
}